Virus

#16 mewho (Member, Topic Starter, 21 posts)
I downloaded the killbox program.
Is there anything else I need to do, other than add the path to the file, after I do the following:
Use the Replace on Reboot option and put a checkmark in the Use dummy box.

Do I just close the program and it automatically does it when I restart Windows?

Exploring around in the Killbox program I found:
tools--> go to SessionManager --> and it opened up the registry editor. I did a search for sqll.dll -- can I delete the file from there?

#18 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

mewho wrote:
    I downloaded the killbox program.
    Is there anything else I need to do, other than add the path to the file, after I do the following:
    Use the Replace on Reboot option and put a checkmark in the Use dummy box.

    Do I just close the program and it automatically does it when I restart Windows?


There is a button: round, red, with a white X in the middle.
When you press that, the delete will be executed using the options you set.

Regards,

Pieter

#19 mewho (Member, Topic Starter, 21 posts)
Killbox didn't work.
The file is still there!!


#20 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Please surf to http://www.billsway.com/vbspage/ and scroll down to Registry Search Tool.
Download, unzip and run RegSrch.vbs.
Put sqll.dll in the dialog box.

After a while a prompt will come up. Click OK to write the results to WordPad and post them.

Regards,

Pieter

#21 mewho (Member, Topic Starter, 21 posts)
Cool, here's the log from that.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "sqll.dll" 1/11/2005 2:40:52 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-2271268274-1911181710-1932705723-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"j"="C:\\WINDOWS\\system32\\sqll.dll"

[HKEY_USERS\S-1-5-21-2271268274-1911181710-1932705723-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"a"="C:\\WINDOWS\\system32\\sqll.dll"

#22 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Look what I found:

http://www.grisoft.c...hp?id=bagbugnet

Can you try that please and let me know.

The above is just showing that you have looked for that file on your computer.

Regards,

Pieter

#23 mewho (Member, Topic Starter, 21 posts)
Did not work.
The program did not detect that particular virus.
It reported 0 Infections & 0 repairs.

The file is still there as well. Just doesn't want to go away.
Bizarre.

#24 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
I hope this shows us something useful.

Regards,

Pieter

#25 mewho (Member, Topic Starter, 21 posts)
Ok, I got the program but when I click on find.bat the program pops up then disappears.
I waited for an output.txt but it never appeared.
I tried this several times and the same thing seems to happen.
?????
#26 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
You did unzip everything into ONE folder on the C: drive?

Open Task Manager (Ctrl-Alt-Del).
Can you check after running FindIt if you can see strings.exe in your running processes?

It can really take a long time. Up to half an hour on my computer. Depends on the size of the C: partition and what else is running.

Regards,

Pieter

Edited by Metallica, 14 January 2005 - 04:27 AM.


#27 mewho (Member, Topic Starter, 21 posts)
Ok, thanks, I figured it out. I put it in its own folder and it seemed to work.
AVG showed a new virus today along with the previous one, "Backdoor.Agent.BA".
This one says "trojan horse virus Downloader.Delf.6.V" under the file name "msshed32.exe".

Here is the log from the findit prog.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find-It\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 5C37-B14E

Directory of C:\WINDOWS\System32

01/14/2005 09:45 PM <DIR> dllcache
01/05/2005 04:52 PM 32 {ABCB3E21-D9C6-46DE-8254-D5A092D59F70}.dat
12/28/2004 11:44 AM 159,582 3n5pi.exe
12/22/2004 10:31 PM 228,777 kbrr.sys
12/22/2004 10:31 PM 360,444 jc6eta.dll
12/22/2004 10:31 PM 201,631 o0eb0.exe
10/28/2002 10:28 AM <DIR> Microsoft
5 File(s) 950,466 bytes
2 Dir(s) 64,657,981,440 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 5C37-B14E

Directory of C:\WINDOWS\System32

01/14/2005 09:45 PM <DIR> dllcache
01/05/2005 04:52 PM 32 {ABCB3E21-D9C6-46DE-8254-D5A092D59F70}.dat
12/28/2004 11:44 AM 159,582 3n5pi.exe
12/22/2004 10:31 PM 228,777 kbrr.sys
12/22/2004 10:31 PM 360,444 jc6eta.dll
12/22/2004 10:31 PM 201,631 o0eb0.exe
10/28/2002 09:34 AM 488 logonui.exe.manifest
10/28/2002 09:34 AM 488 WindowsLogon.manifest
10/28/2002 09:34 AM 749 sapi.cpl.manifest
10/28/2002 09:34 AM 749 nwc.cpl.manifest
10/28/2002 09:34 AM 749 wuaucpl.cpl.manifest
10/28/2002 09:34 AM 749 ncpa.cpl.manifest
10/28/2002 09:34 AM 749 cdplayer.exe.manifest
12 File(s) 955,187 bytes
1 Dir(s) 64,657,977,344 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is HP_PAVILION
Volume Serial Number is 5C37-B14E

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is HP_PAVILION
Volume Serial Number is 5C37-B14E

Directory of C:\WINDOWS\System32

08/29/2002 11:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 64,657,977,344 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"YPC 3.0.3"="Yahoo! Parental Controls"


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
3n5pi.exe Tue Dec 28 2004 11:44:50a ..SHR 159,582 155.84 K
jc6eta.dll Wed Dec 22 2004 10:31:22p ..SHR 360,444 351.99 K
kbrr.sys Wed Dec 22 2004 10:31:22p ..SHR 228,777 223.41 K
o0eb0.exe Wed Dec 22 2004 10:31:22p ..SHR 201,631 196.90 K
{abcb3~1.dat Wed Jan 5 2005 4:52:14p A.SH. 32 0.03 K

5 items found: 5 files, 0 directories.
Total of file sizes: 950,466 bytes 928.19 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\OutLook.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"WinampAgent"="\"C:\\Program Files\\Winamp\\Winampa.exe\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"



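The following is an added example, not part of Find-It and not code from this thread. It runs the kind of triage a helper does by eye over a Find-It report: files in System32 carrying both the System and Hidden attributes, binaries the strings scan reports as ASPack-packed, and Winlogon Notify packages whose DLL is not one a stock XP install ships with (Notify is a logon-time persistence point, and the report exports DllName either as a quoted string or as REGEDIT4 hex(2) bytes, so both are decoded). LOG is an abridged copy of the output posted above plus one Notify entry constructed for this example and marked as such; the attribute rule, the packer rule and the known-good DLL list are this example's own assumptions.

```python
"""Triage of a Find-It (find.bat) report (added example; not part of Find-It or this thread)."""
import re

# Abridged copy of the report posted above; the last Notify key is constructed for this example.
LOG = r"""
------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
3n5pi.exe Tue Dec 28 2004 11:44:50a ..SHR 159,582 155.84 K
jc6eta.dll Wed Dec 22 2004 10:31:22p ..SHR 360,444 351.99 K
kbrr.sys Wed Dec 22 2004 10:31:22p ..SHR 228,777 223.41 K
o0eb0.exe Wed Dec 22 2004 10:31:22p ..SHR 201,631 196.90 K
{abcb3~1.dat Wed Jan 5 2005 4:52:14p A.SH. 32 0.03 K

5 items found: 5 files, 0 directories.

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\OutLook.exe: .aspack

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"

; constructed for this example, not from the posted log
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_added]
"DllName"="example_added.dll"
"""

SECTION = re.compile(r"^-+\s*(.+?)\s*-+$")
# Locate.com row: name, weekday, month, day, year, time, attribute column (A D S H R, '.' = unset), bytes
LOCATE = re.compile(r"^(\S+)\s+\w{3} \w{3}\s+\d+ \d{4} \d+:\d+:\d+[ap]\s+([ADSHR.]{5})\s+([\d,]+)")
# Notify packages a stock XP system has, plus the Intel graphics one seen in the report (assumption).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll"}


def split_sections(text):
    """Map each '---- Title ----' header to the lines under it."""
    sections, name = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            name = m.group(1)
            sections[name] = []
        elif name is not None:
            sections[name].append(line)
    return sections


def hidden_system_files(sections):
    """(name, attributes, size) for files marked System+Hidden, the combination used to keep these out of sight."""
    found = []
    for line in sections.get("Locate.com Results", []):
        m = LOCATE.match(line)
        if m and "S" in m.group(2) and "H" in m.group(2):
            found.append((m.group(1), m.group(2), int(m.group(3).replace(",", ""))))
    return found


def packed_binaries(sections):
    """(path, packer) from 'path: .aspack' lines; a packed binary in System32 is worth a second look."""
    rows = []
    for line in sections.get("Strings.exe Aspack Results", []):
        if line.strip() and ":" in line:
            path, _, packer = line.rpartition(":")
            rows.append((path.strip(), packer.strip()))
    return rows


def decode_reg_value(rhs):
    """Right-hand side of a REGEDIT4 line: "text", or hex(2):.. (REG_EXPAND_SZ, one ANSI byte per char)."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1]
    if rhs.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in rhs[len("hex(2):"):].split(",") if b)
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    return rhs


def notify_packages(sections):
    """(subkey, dll) for every Winlogon Notify package in the report."""
    pkgs, key = [], None
    for line in sections.get("Keys Under Notify", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rsplit("\\", 1)[-1]
        elif key and line.lower().startswith('"dllname"='):
            pkgs.append((key, decode_reg_value(line.split("=", 1)[1])))
    return pkgs


def unknown_notify_dlls(sections):
    return [(k, d) for k, d in notify_packages(sections) if d.lower() not in KNOWN_NOTIFY_DLLS]


if __name__ == "__main__":
    s = split_sections(LOG)
    for row in hidden_system_files(s):
        print("hidden+system:", *row)
    for row in packed_binaries(s):
        print("packed:", *row)
    for row in unknown_notify_dlls(s):
        print("unknown Notify package:", *row)
```

The four System+Hidden+Read-only files with random names and identical 22 December timestamps are the same four that the next post lists for removal; the 32-byte .dat also trips the attribute rule, which is the point of the report's own warning that legitimate files show up too and nothing should be removed on attributes alone.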

#28 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
I think I found the culprit.

Download and unzip:
http://www.downloads...org/KillBox.zip
Run Killbox and paste each of these lines into the box, select Delete on Reboot, then press the red X button. When it says reboot now, say no and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\System32\3n5pi.exe
C:\WINDOWS\System32\kbrr.sys
C:\WINDOWS\System32\jc6eta.dll
C:\WINDOWS\System32\o0eb0.exe
C:\WINDOWS\System32\OutLook.exe <= save till last

Reboot and check here how to "unhide" hidden files and folders: http://www.tacktech....ay.cfm?ttid=192

Then find the folder C:\!Submit\[Date]\OutLook.exe
Zip that file up and send it to pieterATwilderssecurity.org (replace AT with @)

Regards,

Pieter

#29 mewho (Member, Topic Starter, 21 posts)
Ok, I used Killbox to delete those files.

I have checked the "unhide" files.
Though, I have been unsuccessful trying the following:

Metallica wrote:
    Then find the folder C:\!Submit\[Date]\OutLook.exe
    Zip that file up and send it to pieterATwilderssecurity.org (replace AT with @)

How should the date be entered?

#30 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Not sure if Killbox still even uses that [date] folder.

Did you find the !Submit folder and OutLook.exe inside?

Regards,

Pieter